From 057c69d9c86a82aad4227f214388ba93fe2ccc81 Mon Sep 17 00:00:00 2001
From: Cali0707
Date: Sat, 5 Oct 2024 12:23:12 -0400
Subject: [PATCH] feat: add rw lock for provider access

Signed-off-by: Cali0707
---
 pkg/auth/verifier.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/auth/verifier.go b/pkg/auth/verifier.go
index c76c9df8b8d..1474af42d23 100644
--- a/pkg/auth/verifier.go
+++ b/pkg/auth/verifier.go
@@ -25,6 +25,7 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"sync"
 	"time"
 
 	"go.opencensus.io/plugin/ochttp"
@@ -52,9 +53,10 @@ import (
 type Verifier struct {
 	logger *zap.SugaredLogger
 	restConfig *rest.Config
-	provider *oidc.Provider
 	eventPolicyLister v1alpha1.EventPolicyLister
 	trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister
+	m *sync.RWMutex
+	provider *oidc.Provider
 }
 
 type IDToken struct {
@@ -211,6 +213,9 @@ func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idTo
 // verifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.
 func (v *Verifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
+	v.m.RLock()
+	defer v.m.RUnlock()
+
 	if v.provider == nil {
 		return nil, fmt.Errorf("provider is nil. Is the OIDC provider config correct?")
 	}
 
@@ -259,6 +264,8 @@ func (v *Verifier) initOIDCProvider(ctx context.Context, features feature.Flags)
 	}
 	// provider is valid, update it
+	v.m.Lock()
+	defer v.m.Unlock()
 	v.provider = provider
 	v.logger.Debug("updated OIDC provider config", zap.Any("discovery-config", discovery))
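Review bot: The new field `m *sync.RWMutex` in the `Verifier` struct is a pointer that nothing in this patch initializes — the diffstat's 8 insertions are all visible here (the import, two struct fields, three lines in verifyJWT, two in initOIDCProvider), so unless a constructor outside the diff is also updated to set it, `v.m.RLock()` and `v.m.Lock()` dereference a nil pointer and panic on the first token verification or provider refresh. Declare it as a value instead, `m sync.RWMutex`, whose zero value is ready to use; the call sites need no change since they already go through the pointer receiver `v`, and the struct is never copied by value in the visible code. A short comment on the field would also record why `provider` was moved next to it: `// m guards provider, which initOIDCProvider replaces while verifyJWT may be reading it`. The struct is complete within the hunk; `type IDToken struct {` at its end is only trailing context.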
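Review bot: The read lock taken at the top of verifyJWT is held, via `defer v.m.RUnlock()`, for the whole remainder of the function (its body continues past the hunk), so initOIDCProvider's `v.m.Lock()` cannot replace the provider until every in-flight verification has finished, including any network work the OIDC verifier does while checking the token. The swap only needs to protect the read of the `provider` pointer, so take a snapshot and release the lock immediately: `v.m.RLock()`, `provider := v.provider`, `v.m.RUnlock()`, then use the local `provider` in the nil check and for the rest of the function. That keeps a slow or hanging verification from stalling a configuration refresh and makes the lock's scope obvious to a reader. This assumes an `*oidc.Provider` remains usable after the struct field points at a newer one, which the hunk cannot confirm — worth checking against the go-oidc documentation before making the change.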